Cyber Security (CS)

GTU - 3150714

Unit-1
Systems Vulnerability
Scanning

Prof. Maulik D Trivedi


Computer Engineering Department
Darshan Institute of Engineering & Technology, Rajkot
maulik.trivedi@darshan.ac.in
+91-9998265805
 Outline
• Basic Fundamental Concepts of Computer Networks
• Overview of vulnerability scanning
• Open Port / Service Identification
• Banner / Version Check, Traffic Probe
• Vulnerability Probe, Vulnerability Examples
• Networks Vulnerability Scanning
• Understanding Port and Services tools
• Network Reconnaissance
• Network Sniffers and Injection tools
Basic Fundamental Concept
 IP Address
 An Internet Protocol address (IP address) is a numerical label assigned to each device (e.g., computer,
printer) participating in a computer network that uses the Internet Protocol for communication.
 An IP address serves two principal functions: host or network interface identification and location
addressing.
 Two versions of IP address:
 IPv4
 IPv6
 IPv4 uses 32-bit for address. Example: 192.168.1.1
 IPv6 uses 128-bit for address. Example: 2001:0db8:85a3:0000:0000:8a2e:0370:7334
 IP addresses are usually written and displayed in human-readable notations.

Prof. Maulik D Trivedi #3150714 (CS)  Unit 1 – Overview of System Vulnerability 4


Basic Fundamental Concept – Cont.
 MAC Address
 A media access control address (MAC address) is a unique identifier assigned to network interfaces for
communications on the physical network segment.
 MAC addresses are used as a network address for most IEEE 802 network technologies,
including Ethernet, Wi-Fi & Bluetooth.
 It is also known as physical address or hardware address.
 A MAC address is written as six groups of two hexadecimal digits, usually separated by colons (or hyphens).
 For example, consider a network adapter with the MAC address 01:0a:95:9d:58:36.
 The first three groups identify the adapter's manufacturer (the OUI). Most operating systems let the address be changed in software, so it cannot be relied on as proof of a device's identity.

Basic Fundamental Concept – Cont.
 Computer Network:
 A computer network is a telecommunications network which allows computers to exchange data.
 In computer networks, networked computing devices exchange data with each other along
network links (data connections).
 The connections between nodes are established using either cable media or wireless media.
 The best-known computer network is the Internet.
 Computer Port:
 In computer hardware, a port serves as an interface between the computer and other computers or peripheral
devices.
 Computer ports have many uses, such as connecting a monitor, webcam, speakers or other peripheral
devices.
 On the physical layer, a computer port is a specialized interface on a piece of equipment to
which a plug or cable connects.
 This is different from the TCP/UDP port numbers discussed later in this unit, which are logical endpoints for network services rather than physical connectors.

Basic Fundamental Concept – Cont.
 DNS stands for "Domain Name System".
 It converts human-readable website names into computer-readable numerical IP addresses.
 For example:
 If you want to visit Google, you type www.google.com into your web browser's address bar instead of an IP
address. However, your computer does not know where www.google.com is located.
 Behind the scenes, the Internet and other networks use numerical IP addresses.
A DNS lookup of www.google.com returns an IP address such as 73.194.39.78 (the actual address varies by region and time, and large sites have many).

Overview of Vulnerability Scanning
 Vulnerability
 A vulnerability is a weakness that allows an attacker to reduce a system's security.
 Vulnerability scanning usually refers to the scanning of systems that are connected to the
Internet.
 It can also refer to scanning or audits on internal networks that are not connected to
the Internet, in order to assess the threat of malicious software.
 It is possible to know the basic security measures when installing and managing networks and
websites, but it is not possible to manually catch all the vulnerabilities residing in the network and
websites.

Overview of Vulnerability Scanning – Cont.
 Vulnerability scanners automate security auditing and play an important
role in IT security.
 Vulnerability scanners can check your network and websites for thousands of different
security risks.
 A scanner produces a list of the vulnerabilities it found, usually with a severity rating, and gives steps on how to fix or mitigate them.

Types of Vulnerability Scanners
 There are generally two types of vulnerability scanning tools:
1. Network-based scanning tool:
 Network-based scanning tools send network traffic to various network hosts and devices,
with the goal of gathering information that will indicate whether those systems have holes
that can be exploited.
 Example: OpenVAS, Nikto (web servers) and Nmap with its NSE vulnerability scripts. Wireshark is a packet analyzer rather than a scanner, but it is often used alongside them.
2. Host-based scanning tool:
 Host-based scanning tools run on each host and scan for a wide range of system problems,
including unauthorized software, unauthorized accounts, unprotected logins, weak
passwords and inappropriate access permissions.
 Example: OSSEC

Types of Vulnerability Scanners
 Cloud-Based Vulnerability Scanners
 Used to find vulnerabilities within cloud-based systems such as web applications, WordPress,
and Joomla.
 Host-Based Vulnerability Scanners
 Used to find vulnerabilities on a single host or system such as an individual computer or a
network device like a switch or core-router.
 Network-Based Vulnerability Scanners
 Used to find vulnerabilities in an internal network by scanning for open ports. The tool then
examines the services behind those open ports to determine whether known vulnerabilities exist.
 Database-Based Vulnerability Scanners
 Used to find vulnerabilities in database management systems. Databases are the backbone of
any system storing sensitive information. Vulnerability scanning is performed on database
systems to find weak credentials, missing patches and misconfigurations before they are exploited through attacks like SQL injection.

False Negative
 Vulnerability scanners use predefined tests to identify vulnerabilities (also called vulns).
 If the scanner lacks a test for a given flaw, it does not report the vulnerability even though it exists on
the system.
 This is known as a false negative.
 A clean scan report therefore means only that no known, tested-for issues were found; it does not prove the system is secure.

Zero-day Vulnerability
 Zero-day vulnerability refers to a hole in software that is unknown to the vendor.
 This security hole is then exploited by attackers before the vendor becomes aware and hurries to
fix it; this exploit is called a zero-day attack.
 Zero-day vulnerabilities are particularly dangerous because they represent a gap in knowledge
between the attacker and the defender, and because a signature-based scanner cannot have a test for a flaw nobody has published yet.

False Positive
 If the scanner has a poorly written test, it reports a vulnerability even if it does not
exist on the system. This is a false positive.
 It wastes time, as administrators must follow up and manually check whether the reported item is
actually vulnerable or not.
 Two free and very useful tools for that manual follow-up, and for talking to services by hand, are:
 Netcat
 Socat

Open Port / Service Identification
 Some services are very insecure. Telnet (port 23) is famous for its lack of encryption, which leaks
passwords to anyone sniffing the network.
 Hence Secure Shell (SSH) has become widely accepted and has reduced the presence of Telnet on the
Internet.
 Services do not always run on default ports, hence the scanner must rely on banners and
"nudges" to produce a response from a listening port.
 Services do not always declare themselves. Telnet and SMTP (port 25) services return text-based
banners as soon as a connection is accepted; they do not wait for particular incoming
data on that connection.
 HTTP (port 80) will not respond after the connection is made until the service receives a request that
contains data.
 In this way a scanner can distinguish whether an HTTP or SMTP service is listening on a non-standard port.

Banner / Version Check
 Some services declare information about themselves without receiving particular data from a
client.
 Banner Grabbing:
 Banner grabbing is a technique used to gain information about a computer system on a network and the
services running on its open ports.
 Administrators can use this to take inventory of the systems and services on their network.
 Tools commonly used to perform banner grabbing are Telnet, nmap, zmap and Netcat.
 Example:
 Connecting to port 22 with an SSH client (or Netcat) returns a banner of the form SSH-2.0-<software version>, which names the server software and often the operating system distribution.
 If you know the version of SSH and the target operating system, it becomes much easier for someone to
find a matching exploit and compromise the host.
 System administrators often remove or change banners to make the system look more secure, but this
doesn't remove the vulnerability; only patching does.

Probe
 In Computer Security, a probe is an attempt to gain access to a computer and its files through a
known or probable weak point in the computer system.
 A probe is an action taken or an object used for the purpose of learning or collecting data about
the state of the network.
 For example, an empty message can be sent simply to see whether the destination actually
exists. Ping is a common utility for sending such a probe.

Two Type of Probe
1. Traffic Probe
2. Vulnerability Probe

Traffic Probe
 Some services declare information about themselves without receiving particular data from a
client.
 Not all services do that. However, many of them will if you just ask.
 For example, a web service will not respond until it receives data from the client.
 A valid HTTP request using the HEAD method will return the response headers, which often reveal the
web server software and version and sometimes the server operating system, information that can be
useful to compromise the host.
 Traffic probes try to use valid requests, because valid protocol messages are less likely to
crash or interrupt a service.
 If a web server cannot even handle a HEAD request without crashing, the chances of
compromising it increase sharply. Such a buggy service must be fixed to lower the
chances of compromise.

Vulnerability Probe
 Some security bugs cannot be identified without sending a payload that exploits (uses
to one's own advantage) a suspected vulnerability.
 These types of probes are more accurate, since they rely on direct observation rather than only on port
numbers or service banners.
 But they also carry more risk of interrupting the service, because the test payload must
try to either produce or take advantage of an error in the service's code.
 An easy-to-understand example of a vulnerability probe is an HTML injection check for a web
application.
 If a search for the term zombies produces a snippet of HTML such as <div id="search"><span class="results">Results for
'zombies'...</span>, the probe resubmits the search with a harmless tag as the term and checks whether that tag comes back unescaped inside the snippet.
 An attacker who exploits an HTML injection vulnerability like this could steal data from the user or
deface the web site.
 The attacker can take advantage of the vulnerability to compromise the system or network.
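An added example (not from the slides) of the HTML injection probe just described, beside the escaping that defeats it. The two rendering functions are constructed stand-ins for a real web application's search page; the canary tag name zqxprobe7 is an arbitrary choice for this example.

```python
import html
from html.parser import HTMLParser

# Constructed search page, modelled on the snippet in the slide.
PAGE_TEMPLATE = '<div id="search"><span class="results">Results for \'{term}\'...</span></div>'


def render_vulnerable(term: str) -> str:
    """Stand-in for a vulnerable application: the user's term is inserted verbatim."""
    return PAGE_TEMPLATE.format(term=term)


def render_hardened(term: str) -> str:
    """Same page with the term HTML-escaped before it is placed in the markup."""
    return PAGE_TEMPLATE.format(term=html.escape(term, quote=True))


CANARY_TAG = "zqxprobe7"          # unlikely to occur naturally, harmless if rendered
CANARY = "<%s>" % CANARY_TAG


class _TagFinder(HTMLParser):
    """Reports whether the browser's parser would see the canary as a real element."""

    def __init__(self, wanted):
        super().__init__()
        self.wanted = wanted
        self.found = False

    def handle_starttag(self, tag, attrs):
        if tag == self.wanted:
            self.found = True


def probe_html_injection(render, canary_tag: str = CANARY_TAG) -> dict:
    """Submit the canary as the search term and check how it is reflected.

    'reflected' means the term appears in the page at all (escaped or not);
    'vulnerable' means it came back as live markup, i.e. HTML injection."""
    canary = "<%s>" % canary_tag
    body = render(canary)
    finder = _TagFinder(canary_tag)
    finder.feed(body)
    return {
        "reflected": canary in body or html.escape(canary) in body,
        "vulnerable": finder.found,
    }
```

Checking for a parsed start tag rather than for the raw substring matters: a page that reflects the canary inside an HTML comment or an attribute value would contain the substring but not (yet) execute markup, and the probe should not call that a confirmed injection.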

Vulnerability Probe – Cont.
 The outcome may be to crash the software, causing a denial of service, or retrieve data, like
pulling usernames and passwords from a database, or completely compromise the operating
system by gaining root or administrator access.

 Exploits take many shapes. It can be simple binary shellcode or clever bits of text appended to
URL parameters.

 Discovering a vulnerability typically just means uncovering a software fault.

 Developing an exploit means taking advantage of that software fault to give the attacker an
advantage against the system.

TCP/IP Ports and Sockets
 On a TCP/IP network every device must have an IP address.
 The IP address identifies the device e.g. computer.
 However an IP address alone is not sufficient for running network applications, as a
computer can run multiple applications and/or services.
 Just as the IP address identifies the computer, the network port identifies the application or
service running on the computer.
 The diagram in the original slide (not reproduced here) shows a computer-to-computer connection and identifies the IP addresses
and ports at each end.
 A socket is the combination of IP address + port (for a given transport protocol, TCP or UDP).
 A connection between two computers is identified by the pair of sockets at its two ends: source IP, source port, destination IP and destination port.

Port Number Ranges and Well Known Ports
 A port number uses 16 bits and so can therefore have a value from 0 to 65535 decimal.
 Port numbers are divided into ranges as follows:
 Port numbers 0-1023 – Well known ports.
 These are allocated to server services by the Internet Assigned Numbers Authority (IANA).
 e.g Web servers normally use port 80 and SMTP servers use port 25.
 Ports 1024-49151 - Registered ports
 These can be registered for services with the IANA and should be treated as semi-reserved.
 User-written programs should not use these ports.
 Ports 49152-65535 - Dynamic or private ports
 These are used by client programs and you are free to use these in client programs.
 When a web browser connects to a web server the browser will allocate itself a port in this range.
 Also known as ephemeral ports.
 Operating systems do not all follow the IANA boundary for ephemeral ports: Linux, for example, defaults to 32768-60999 (see /proc/sys/net/ipv4/ip_local_port_range), so a client source port in the "registered" range is normal and not by itself suspicious.

Common Well Known Port Numbers
Number   Assignment
20       File Transfer Protocol (FTP) data transfer (TCP)
21       File Transfer Protocol (FTP) command control (TCP)
22       Secure Shell (SSH) secure login (TCP)
23       Telnet remote login service, unencrypted text (TCP)
25       Simple Mail Transfer Protocol (SMTP) e-mail routing (TCP)
53       Domain Name System (DNS) service (UDP and TCP)
67, 68   Dynamic Host Configuration Protocol (DHCP) server and client (UDP)
80       Hypertext Transfer Protocol (HTTP) used on the World Wide Web (TCP)
110      Post Office Protocol (POP3) mail retrieval (TCP)
119      Network News Transfer Protocol (NNTP) (TCP)
123      Network Time Protocol (NTP) (UDP)
143      Internet Message Access Protocol (IMAP) mail access (TCP)
161      Simple Network Management Protocol (SNMP) (UDP)
194      Internet Relay Chat (IRC) (TCP)
443      HTTP Secure (HTTPS), HTTP over TLS/SSL (TCP)

Port Scanning 
 Port scanner: software designed to probe a server or host for open ports.
 Used by administrators to verify that the security policy is actually enforced (only the intended services are reachable).
 Used by attackers to identify running services on a host.
 Port scan: a process that sends a client request to a range of server ports to find the active ones.
 Open port: the host replies (for TCP, with SYN/ACK) indicating that a service is listening.
 Closed port: the host replies that the connection is refused (for TCP, with RST); no service is listening, but the host is reachable.
 Filtered: there is no reply at all, typically because a firewall silently dropped the probe; the scanner cannot tell whether a service is there.
 Vulnerabilities can be in the services behind open ports or in the operating system of the running host.
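An added example, not from the slides and not Nmap, that performs the simplest kind of port scan (a full TCP connect) and maps each outcome to the three states above. The throwaway listener and the unused loopback port are constructed fixtures so the example runs offline; a probe dropped by a real firewall would take the timeout branch and be reported as filtered.

```python
import errno
import socket
import socketserver
import threading


class _Quiet(socketserver.BaseRequestHandler):
    """Accepts a connection and does nothing; stands in for any listening service."""

    def handle(self):
        pass


def start_listener():
    """Start a throwaway TCP listener on 127.0.0.1 and return its port (test fixture)."""
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), _Quiet)
    srv.daemon_threads = True
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv.server_address[1]


def find_closed_port():
    """Find a loopback port with nothing listening by binding it and releasing it."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def scan_port(host, port, timeout=1.0):
    """Full TCP connect probe: 'open', 'closed' (RST received) or 'filtered' (no reply)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"                  # three-way handshake completed
    except socket.timeout:
        return "filtered"              # SYN silently dropped: nothing came back
    except ConnectionRefusedError:
        return "closed"                # host answered with RST
    except OSError as e:
        if e.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "filtered"          # ICMP unreachable: treated as filtered, like Nmap does
        raise
    finally:
        s.close()


def scan_ports(host, ports, timeout=1.0):
    """Scan several ports sequentially and return {port: state}."""
    return {p: scan_port(host, p, timeout) for p in ports}
```

A connect scan completes the handshake, so every open port it touches shows up in the target's application logs; Nmap's default SYN scan avoids that by never sending the final ACK, but it needs raw-socket privileges that a plain connect() does not.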

Metasploit
 Metasploit is an open-source framework used for security development and testing.
 It is best tool for developing and executing exploit code against a remote target machine.
 Architecture (shown as a layered diagram in the original slide):
 Libraries: Rex (the basic library for sockets, protocols and text transformations), Metasploit Framework Core (the basic API and module system) and Metasploit Framework Base (friendly wrappers over the Core).
 Interfaces: Console, CLI, Web and GUI, all built on top of the libraries.
 Modules: Auxiliaries, Encoders, NOPs, Exploits and Payloads.
 Plugins and Tools: hook directly into the framework or stand alongside it.

 Modules are built on top of the libraries and accessed via the interfaces to conduct exploitation tasks. Plugins
hook directly into the framework to add commands to the interface, etc.

Metasploit – Cont.
 Using the built-in tools available in Metasploit, security professionals can conduct penetration
tests, verify patch installations and even perform regression testing.
 Metasploit is written in Ruby.
 The framework ships with well over 500 modules (the count grows with every release), including hundreds of remote exploits for
various releases of Windows, Linux, UNIX and macOS.
 Metasploit is easy enough to use that a person who can drive a mouse or a keyboard can take
over a vulnerable system; the hard part is understanding what the exploit and payload will do to the target.
 It uses a PostgreSQL database to manage data for scans, sessions and post-exploitation information.

Metasploit Hacking Session Steps
 A Metasploit hacking session progresses through several steps:
 First, identify the target.
 Next, choose an exploit to use against a vuln on the target.
 Customize the exploit to the target, which usually just requires specifying the IP address
against which to run the exploit.
 Next, select a payload. Like the exploit, this usually just requires specifying an IP address (the one the payload should connect back to); in some
cases you might change a TCP port number.
 Finally, launch the customized exploit and await the successful compromise of the target.
 In an authorized test, the target, the time window and the payload must all be agreed with the owner first: a mis-typed IP address or a crashing exploit hits a production system just as hard as a real attack would.

Difference between Payload and Exploits
 A payload refers to the part of malware which performs a malicious action.
 In the analysis of malicious software such as worms, viruses and Trojans, it refers to the
software's harmful results.
 Examples of payloads include data destruction, messages with insulting text or spam e-mail
messages sent to a large number of people.
 An exploit (meaning "using something to one’s own advantage") is a piece of software, a chunk
of data, or a sequence of commands that takes advantage of a bug or vulnerability in order to
cause unexpected behaviour to occur on computer software, hardware, or something
electronic.
 Such behaviour includes things like gaining control of a computer system or a denial-of-service
attack.
 The exploit is what delivers the payload.

Example: Payload and Exploits
 Take a missile as an analogy. You have the rocket and fuel and everything else in the rocket,
and then you have the warhead that does the actual damage.
 Without the warhead, the missile doesn't do very much when it hits.
 Additionally, a warhead isn't much use if it goes off in your bunker without a rocket delivering it.
 The delivery system (missile) is the exploit and the payload (warhead) is the code that actually
does something.
 Exploits give you the ability to 'pop a shell/run your payload code’.
 Example payloads are things like Trojans/RATs, keyloggers, reverse shells etc.
 Payloads are only referred to when code execution is possible and not when using things like
denial of service exploits.

Network Vulnerability Scanning - Netcat
 Netcat performs one simple function with broad application to hacking and network debugging: it
reads and writes data over TCP and UDP connections.
 Netcat enables you to redirect shell commands across a network.
 Netcat interacts directly with a TCP or UDP service.
 You can inspect the raw data sent by a service, manually interact with the service, or redirect
network connections to and from stdin and stdout.
 You can connect to text-based protocols like SMTP and HTTP, UDP services like DNS, and even
binary protocols.
 Netcat is often called the "Swiss Army knife" of hacking.
 Several incompatible implementations exist (the original "traditional" netcat, the OpenBSD rewrite, GNU netcat and Nmap's ncat) and their flags differ, so check the local man page before relying on a particular option.

Uses of Netcat
 Hackers have come up with hundreds of ways to use Netcat.
 Some of the uses of Netcat are:
 Obtain remote access to a shell
 Perform basic port scanning
 Identify more information about open ports (banner grabbing)
 Communicate with UDP services
 Choose the source address and port of outgoing connections (sometimes loosely called IP spoofing)
 Hijack a service
 Create proxies and relays
 Bypass port filters

Socat
 Socat is a Netcat-like relay with far more extensive configuration options.
 It supports several protocols and address types, from OpenSSL to proxies to IPv4 and IPv6, as well as UNIX sockets and serial lines.
 Socat uses word-based directives on the command line.
 Socat is part of the BSD ports collection and is available as a package for most Linux distributions.
 Socat's command line follows a simple format, as follows:
 $ socat options address1 address2
 The options resemble common "dash letter" flags such as -d, -h, and -v.
 A basic address specification consists of a keyword, followed by a list of parameters and
behaviour options.

Socat – Cont.
 Address specifications are not case sensitive, but we will define them in uppercase to help
distinguish them on the command line.
 For example, the following command connects stdio (the first address) to TCP port 80 on a
remote host (the second address):
 $ socat STDIO TCP:deadliestwebattacks.com:80
 Since the first address is stdio, you can pipe data into the command just as you would with nc
or any other shell command. Traffic is forwarded between the two addresses.
 Hence, the data piped into stdio is forwarded to the TCP host, whose response makes the round
trip back through stdio.

Datapipe
 A port redirection tool passes TCP/IP traffic received by the tool on one port to another port to
which the tool points.
 A port redirection tool functions as a channel for TCP/IP connections.
 For example, you could place a datapipe on a system between a browser and a web server.
 If you pointed the browser to the listening port of the system with the redirection tool, the
browser would see the contents of the web server without having to directly access the web
server's IP address.
 Datapipe is a small port redirection tool written in C for UNIX-like systems.
 Running it without arguments prints its usage:
 $ ./datapipe
 ./datapipe localhost localport remoteport remotehost

Datapipe – Cont.
 The localhost argument indicates the IP address on which to open the listening port.
 It may be the loopback interface (i.e., 127.0.0.1) or the address of a network interface on the
local system from which the datapipe command is being executed.
 The localport argument indicates the listening port on the local system; connections will be
made to this port number.
 On UNIX systems, you must have root privileges (or, on Linux, the CAP_NET_BIND_SERVICE capability) to open a listening port below 1024.
 If you receive an error similar to "bind: Permission denied," your account may not have
privileges to open a reserved port.
 The remoteport argument indicates the port to which data is to be forwarded.
 For example, in most cases if the target is a web server, the remoteport value will be 80.
 The remotehost argument indicates the hostname or IP address of the target.
 The easiest conceptual example of port redirection is forwarding HTTP traffic.

Datapipe – Cont.
 Here we set up a datapipe to listen on a high port, 9080 in this example, that redirects to a web
site of our choice:
 $ ./datapipe my.host 9080 80 www.google.com
 Now, we enter this URL into a web browser:
 http://my.host:9080/
 You should see Google’s home page.
 Datapipe performs a basic function, but with a little creativity you can make it a powerful tool.
 Port redirection forwards traffic between TCP ports only.
 It does not perform protocol conversion or any other data manipulation.
 Redirecting web traffic from port 80 to port 443 will not change HTTP connections to encrypted
HTTPS connections.
 Use a TLS wrapper instead, such as stunnel (or socat's OPENSSL address type).
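A datapipe-style redirector in Python as an added example. It is not the datapipe tool itself, but it reproduces the behaviour the slides describe, including datapipe's argument order and the limitation that the bytes pass through untouched (so no HTTP-to-HTTPS conversion happens). The echo target is a constructed stand-in for the remote web server so the example runs offline.

```python
import socket
import socketserver
import threading


def _pump(src, dst):
    """Copy bytes from src to dst unchanged until src closes, then half-close dst."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


class _Redirect(socketserver.BaseRequestHandler):
    """One accepted client: open the remote side and pump both directions."""

    def handle(self):
        remote = socket.create_connection(self.server.remote, timeout=5)
        with remote:
            back = threading.Thread(target=_pump, args=(remote, self.request), daemon=True)
            back.start()
            _pump(self.request, remote)
            back.join()


def start_datapipe(localhost, localport, remoteport, remotehost):
    """Listen on localhost:localport and forward to remotehost:remoteport.
    Argument order follows datapipe: localhost localport remoteport remotehost.
    Returns the port actually bound (useful when localport is 0)."""
    srv = socketserver.ThreadingTCPServer((localhost, localport), _Redirect)
    srv.daemon_threads = True
    srv.remote = (remotehost, remoteport)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv.server_address[1]


class _Echo(socketserver.BaseRequestHandler):
    """Constructed stand-in for the remote service: echoes what it receives."""

    def handle(self):
        data = self.request.recv(4096)
        self.request.sendall(b"echo:" + data)


def start_echo_target():
    """Start the constructed remote service on 127.0.0.1 and return its port."""
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), _Echo)
    srv.daemon_threads = True
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv.server_address[1]


def through_pipe(pipe_port, payload):
    """Send payload through the redirector and return everything that comes back."""
    with socket.create_connection(("127.0.0.1", pipe_port), timeout=5) as c:
        c.sendall(payload)
        c.shutdown(socket.SHUT_WR)
        out = b""
        while True:
            chunk = c.recv(4096)
            if not chunk:
                break
            out += chunk
        return out
```

Because the redirector only copies bytes, the remote service sees the redirector's address as the client; anything that depends on the real client address (logging, IP-based access control) is blinded, which is exactly why attackers like these tools and why defenders should treat an unexplained listener that forwards traffic as a finding.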

FPipe
 FPipe implements port redirection techniques natively on Windows. It adds UDP support and
outbound source port selection, which datapipe does not have.
 FPipe is a TCP source port forwarder/redirector. It can create a TCP or UDP stream with a source
port of your choice. This is useful for getting past firewalls that allow traffic from particular source ports, for example
23, to reach internal servers.
 FPipe runs on the Windows operating system. It needs no privileged user account and no
additional dynamic link libraries.
 FPipe can run on the same host as the application that you are trying to use to get inside the firewall.
 When you start FPipe, it waits for a client to connect on its listening port.
 When a client connects, FPipe opens a new connection to the destination machine and port,
using the specified local source port.
 When the full connection has been established, FPipe forwards all the data received on its
inbound connection to the remote destination port beyond the firewall.

Fpipe Option
Sr No.  Option     Description
1       -? or -h   Display help
2       -c         Maximum number of simultaneous TCP connections (default: 32)
3       -i         Listening interface IP address
4       -l         Listening port number
5       -r         Remote port number
6       -s         Source port used for outbound traffic
7       -u         UDP mode
8       -v         Verbose mode

Winrelay
 WinRelay is a Windows-based port redirection tool. It uses a static source port for redirected traffic.
 Some antivirus software flags it as malicious, as is common for port redirectors, since attackers use them too.
 Port redirection tools such as datapipe and FPipe are also used outside security work, for example by online games, for assigning an
alternative port to a service.
 Source:
 www.ntsecurity.nu/toolbox/winrelay/

Network Reconnaissance
 A reconnaissance attack is a kind of information gathering on network systems and services. This
enables the attacker to discover vulnerabilities or weaknesses on the network.
 Reconnaissance can be active (sending probes to the target) or passive (observing traffic or public data without touching the target).
 Tools are:
 AMAP: Application Mapper, uses the results from Nmap to mine for more information.
 Nessus: a vulnerability scanner.
 Scanrand: a fast, stateless network scanner.
 Paratrace: a TCP traceroute that rides on an existing TCP connection and uses selected TTL values.
 Intruders are increasingly making use of compromised hosts to launch reconnaissance against
target networks, so the source address of a scan says little about who is behind it.

NMAP
 Nmap (“Network Mapper”) is a free and open source (license) utility for network discovery and
security auditing.
 Many systems and network administrators also find it useful for tasks such as network
inventory, managing service upgrade schedules, and monitoring host or service uptime.
 Nmap uses raw IP packets in novel ways:
 To determine what hosts are available on the network.
 Available services (application name and version) those hosts are offering.
 Operating systems (and OS versions) they are running.
 Type of packet filters/firewalls are in use.
 It was designed to rapidly scan large networks, but works fine against single hosts.

NMAP – Cont.
 Nmap runs on all major computer operating systems, and official binary packages are available
for Linux, Windows, and Mac OS X.
 In addition to the classic command-line Nmap executable, the Nmap suite includes:
 An advanced GUI and results viewer (Zenmap).
 A flexible data transfer, redirection, and debugging tool (Ncat).
 A utility for comparing scan results (Ndiff).
 A packet generation and response analysis tool (Nping).
 It was even featured in twelve movies, including The Matrix Reloaded, Die Hard 4, Girl With the
Dragon Tattoo, and The Bourne Ultimatum.

NMAP Characteristics and Source
 Flexible
 Powerful
 Portable
 Easy
 Free
 Well Documented
 Supported
 Acclaimed
 Popular

 Source:
 http://nmap.org/

THC – Amap (The Hackers Choice Amap)
 Amap was the first next-generation scanning tool for pentesters.
 It attempts to identify applications even if they are running on a different port than normal.
 It also identifies non-ASCII (binary) protocols.
 This is achieved by sending trigger packets and looking up the responses in a list of known response
strings.
 Most port scanners assume that if a particular port is open, then the default application for that
port must be present.
 Amap probes these ports to find out what is really running on them.
 Source:
 https://github.com/vanhauser-thc/THC-Archive/tree/master/Tools
 http://thc.segfault.net/thc-amap/

THC – Amap Modes
Sr. No.  Mode  Remarks
1        -A    Application mapping (default): identifies the service associated with each port.
2        -B    Banner mode: just grabs banners, does not perform identification.
3        -P    Port scan mode: conducts a port scan only.

Network Sniffers and Injection
 A packet sniffer is a wire-tap device (or program) that plugs into a computer network and eavesdrops on the
network traffic.
 Sniffers are among the best tools available to attackers, because anything sent in clear text (passwords, session cookies) can be read directly.
 Network administrators use sniffers for network troubleshooting and security analysis.
 Many sniffing and anti-sniffing packages are available on the Internet for download.
 Network sniffer tools are used to watch over networks as well as to collect all kinds of
information, including diagnostic information.

Usages of Network Sniffer tools
 Sniffing packages are used for network traffic analysis to:
1. Identify the types of network applications in use.
2. Identify the hosts using the network.
3. Identify bottlenecks.
4. Capture data for troubleshooting of network applications.
5. Create network traffic logs.

TCPdump
 TCPdump is a network debugging tool that runs from the command line. It allows the user to intercept
and display TCP/IP and other packets being transmitted or received over a network.
 It is frequently used to debug applications that generate or receive network traffic.
 TCPdump is also used for debugging the network setup itself, by determining whether all
necessary routing is occurring properly, allowing the user to further isolate the source of a
problem.
 It is a UNIX-based tool.
 It is used to gather data from the network, decipher the bits and display the output in a semi-
coherent fashion.
 TCPdump uses the libpcap library to capture packets. It can be used for intercepting and
displaying the communications of another user or computer, which is why it needs privileges and why using it on networks you are not authorized to monitor is illegal in most jurisdictions.
 Source:
 http://www.tcpdump.org

TCPdump Commands
 TCPdump must be run as root (or with the CAP_NET_RAW capability on Linux), because capturing requires raw access to the network interface. It can decode and monitor the header data of:
 Internet Protocol (IP)
 Transmission Control Protocol (TCP)
 User Datagram Protocol (UDP)
 Internet Control Message Protocol (ICMP)
 It captures packets based on a wide range of user-specified criteria, and can save the traffic in
different formats.
 Syntax:
 tcpdump [ -AdDefIKlLnNOpqRStuUvxX ] [ -B buffer_size ] [ -c count ]
[ -C file_size ] [ -G rotate_seconds ] [ -F file ] [ -i interface ] [ -m module ] [ -M secret ] [ -r file ] [ -s snaplen ]
[ -T type ] [ -w file ] [ -W filecount ] [ -E spi@ipaddr algo:secret,... ] [ -y datalinktype ] [ -z postrotate-command ]
[ -Z user ] [ expression ]



TCPdump Commands Example
 To print all packets arriving at or departing from sundown:
 $ tcpdump host sundown
 To print traffic between helios and either hot or ace:
 $ tcpdump host helios and \( hot or ace \)
 To print all IP packets between ace and any host except helios:
 $ tcpdump ip host ace and not helios
 To print all traffic between local hosts and hosts at Berkeley:
 $ tcpdump net ucb-ether
 To print all ftp traffic through internet gateway snup (note that the expression is quoted to prevent the shell from (mis-)interpreting the parentheses):
 $ tcpdump 'gateway snup and (port ftp or ftp-data)'
 To print IP traffic neither sourced from nor destined for local hosts (if you gateway to one other net, this should never make it onto your local net):
 $ tcpdump ip and not net localnet
 The host names in these examples (sundown, helios, snup, ucb-ether) must resolve via DNS or /etc/hosts when the filter is compiled; add -n to suppress reverse lookups in the output.



Output of TCPdump
 TCPdump and WinDump do not capture the whole of every packet by default: they keep only the first snaplen bytes of each frame (option -s). The historical default snaplen was 68 bytes; tcpdump 4.0 and later default to 262144 bytes, which is effectively the whole packet.
 With a 68-byte snapshot of an Ethernet/IPv4/TCP packet without options, only 14 bytes of application data survive:

Output of TCPdump = Frame Header + IP Header + TCP Header + TCP Data

68 bytes = 14 bytes + 20 bytes + 20 bytes + 14 bytes

 IP or TCP options lengthen the headers and reduce the captured data further. Use -s 0 (or an explicit larger value) whenever the payload matters, for example when a capture is evidence in an incident.



Windump
 WinDump is the Windows port of TCPdump. It comes in two parts:
1. WinPcap: a packet capture driver and library that gives user-mode programs packet-level access to the network interfaces of the computer. (WinPcap is no longer maintained; its successor, Npcap, is what current Windows capture tools use.)
2. WinDump itself, a command-line program invoked after the WinPcap library is installed.
 WinDump supports the TCPdump flags, parameters and filter expressions; -D lists the interfaces and -i selects one by number or name.
 Source:
 https://www.winpcap.org/
 Syntax:
 C:\> windump [-aBdDeflnNOpqRStvxX] [-c count ] [-F file ]
[ -i interface ] [ -m module ] [-r file ]
[ -s snaplen ] [ -T type ] [ -w file ]
[ -E algo:secret ] [ expression ]



Windump Example
 See all packets in the capture file (-n suppresses name resolution; -r reads a saved file instead of a live interface, so no administrator rights are needed):
 windump -n -r filename.pcap
 Show only the first 2 packets:
 windump -n -r filename.pcap -c 2
 Track a host by source MAC address (-e prints the link-level header):
 windump -n -r filename.pcap -e "ether src 00:a0:cc:3b:bf:fa"
 Track a host by destination MAC address:
 windump -n -r filename.pcap -e "ether dst 00:a0:cc:3b:bf:fa"
 Track a host by IP, whether that IP is source or destination:
 windump -n -r filename.pcap "host 192.168.0.1"
 Track a host by source IP:
 windump -n -r filename.pcap "src host 192.168.0.1"
 Track a host by destination IP:
 windump -n -r filename.pcap "dst host 192.168.0.1"
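The snapshot-length arithmetic on the Output of TCPdump slide and the WinDump -r filter examples above can both be exercised offline with a small reader for the libpcap file format that tcpdump -w and windump -w produce. The following Python is an added example written for these notes, not code from tcpdump, WinDump or libpcap: it builds two constructed Ethernet/IPv4/TCP frames (the MAC and IP addresses are invented), writes them with a 68-byte snapshot length, decodes the headers back and applies the host / src host / dst host / ether src / ether dst filters from the slide. Only that filter subset is implemented; real BPF accepts far more.

```python
import socket
import struct
from dataclasses import dataclass

# Constructed sample MAC addresses for the example (not from any real capture).
SRC_MAC = bytes.fromhex("00a0cc3bbffa")
DST_MAC = bytes.fromhex("0050563a1b2c")

PCAP_GLOBAL = struct.Struct("<IHHiIII")  # magic, major, minor, thiszone, sigfigs, snaplen, linktype
PCAP_RECORD = struct.Struct("<IIII")     # ts_sec, ts_usec, incl_len (caplen), orig_len
LINKTYPE_ETHERNET = 1


@dataclass
class Packet:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    sport: int
    dport: int
    caplen: int     # bytes actually stored in the file
    origlen: int    # bytes that were on the wire
    payload: bytes  # TCP data that survived the snapshot length


def build_frame(src_ip, dst_ip, sport, dport, payload, src_mac=SRC_MAC, dst_mac=DST_MAC):
    """Build an Ethernet/IPv4/TCP frame with no options (14 + 20 + 20 header bytes).
    Checksums are left at zero; a capture file does not need them to be valid."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return dst_mac + src_mac + b"\x08\x00" + ip + tcp


def write_pcap(frames, snaplen):
    """Serialize (ts_sec, frame) pairs in libpcap format, keeping only the first
    snaplen bytes of each frame, exactly as tcpdump -s / windump -s would."""
    out = bytearray(PCAP_GLOBAL.pack(0xA1B2C3D4, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET))
    for ts_sec, frame in frames:
        kept = frame[:snaplen]
        out += PCAP_RECORD.pack(ts_sec, 0, len(kept), len(frame)) + kept
    return bytes(out)


def decode(data, origlen):
    """Decode the Ethernet, IPv4 and TCP headers of a (possibly truncated) frame."""
    if data[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4 frame")
    ihl = (data[14] & 0x0F) * 4           # IP header length honours options
    if data[23] != 6:
        raise ValueError("not TCP")
    tcp_off = 14 + ihl
    sport, dport = struct.unpack_from("!HH", data, tcp_off)
    doff = (data[tcp_off + 12] >> 4) * 4  # TCP header length honours options
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    return Packet(mac(data[6:12]), mac(data[0:6]),
                  socket.inet_ntoa(data[26:30]), socket.inet_ntoa(data[30:34]),
                  sport, dport, len(data), origlen, data[tcp_off + doff:])


def read_pcap(blob):
    """Walk a libpcap file and decode every record (what windump -r file does)."""
    magic, _, _, _, _, _, linktype = PCAP_GLOBAL.unpack_from(blob, 0)
    if magic != 0xA1B2C3D4 or linktype != LINKTYPE_ETHERNET:
        raise ValueError("unsupported capture file")
    off = PCAP_GLOBAL.size
    while off < len(blob):
        _, _, caplen, origlen = PCAP_RECORD.unpack_from(blob, off)
        off += PCAP_RECORD.size
        yield decode(blob[off:off + caplen], origlen)
        off += caplen


def matches(pkt, expr):
    """Evaluate the subset of the BPF filter language used on the WinDump slide:
    'host A', 'src host A', 'dst host A', 'ether src M', 'ether dst M'."""
    tok = expr.lower().split()
    if tok[0] == "ether":
        return {"src": pkt.src_mac, "dst": pkt.dst_mac}[tok[1]] == tok[2]
    direction = "either"
    if tok[0] in ("src", "dst"):
        direction, tok = tok[0], tok[1:]
    if tok[0] != "host":
        raise ValueError(f"unsupported filter: {expr}")
    ip = tok[1]
    if direction == "src":
        return pkt.src_ip == ip
    if direction == "dst":
        return pkt.dst_ip == ip
    return ip in (pkt.src_ip, pkt.dst_ip)


def select(blob, expr):
    """All packets in a capture that satisfy the filter expression."""
    return [p for p in read_pcap(blob) if matches(p, expr)]


# Constructed two-packet capture (HTTP request and reply) written with snaplen 68.
SAMPLE_PCAP = write_pcap([
    (1700000000, build_frame("192.168.0.1", "10.0.0.5", 40000, 80,
                             b"GET / HTTP/1.1\r\nHost: example\r\n\r\n")),
    (1700000001, build_frame("10.0.0.5", "192.168.0.1", 80, 40000,
                             b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n",
                             src_mac=DST_MAC, dst_mac=SRC_MAC)),
], snaplen=68)
```

Reading SAMPLE_PCAP back shows every record with caplen 68 but origlen 87 and 92, and exactly 14 bytes of HTTP left in each payload (68 - 14 - 20 - 20), which is the arithmetic from the slide. Writing the same frames with snaplen 65535 keeps the whole request. The output of write_pcap is a valid capture file, so it can also be fed to windump -n -r or opened in Wireshark to compare.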



Wireshark
 Wireshark is a free and open source packet analyzer.
 It is used for network troubleshooting, analysis, software and communication protocol development, and education.
 It runs on Linux, UNIX, macOS, BSD, Solaris and Microsoft Windows.
 It provides the following functionality:
 Wireshark is very similar to tcpdump, but has a graphical front end plus integrated sorting and filtering options. Capture filters use the same BPF syntax as tcpdump; display filters use Wireshark's own field-based syntax, for example ip.addr == 192.168.0.1.
 The user can see all traffic visible on the selected interface (in promiscuous mode, every frame on the segment, not only frames addressed to the host).
 A remote machine can capture packets and forward them to a machine running Wireshark using the TZSP protocol, so packets captured on the remote machine can be analysed as they are captured.
 It understands the structure of different networking protocols and can parse and display the fields, along with their meanings, as specified by each protocol.
 It can review traffic captured by tools such as tcpdump or WinDump, or capture traffic directly.
 It also reads capture formats from several other commercial and open source network sniffers.



Ettercap
 Ettercap is a free and open source network security tool for man-in-the-middle attacks on a LAN.
 It can be used for computer network protocol analysis and security auditing.
 It runs on various UNIX-like operating systems including Linux, macOS, BSD and Solaris, and on Microsoft Windows.
 It is capable of intercepting traffic on a network segment, capturing passwords and conducting active eavesdropping against a number of common protocols.
 Ettercap works by putting the network interface into promiscuous mode and by ARP poisoning the target machines: it sends forged ARP replies so that each victim maps the other's IP address (typically the gateway's) to the attacker's MAC address.
 Thereby it can act as a 'man in the middle' and unleash various attacks on the victims.
 Ettercap supports active and passive dissection of many protocols and provides many features for network and host analysis.



Ettercap - Modes of Operation
 Ettercap offers four modes of operation.
 These are as follows:
 IP-based: packets are filtered based on IP source and destination.
 MAC-based: packets are filtered based on MAC address, useful for sniffing connections through a gateway.
 ARP-based: uses ARP poisoning to sniff on a switched LAN between two hosts.
 PublicARP-based: uses ARP poisoning to sniff on a switched LAN from a victim host to all other hosts.



Features of Ettercap
 Character injection into an established connection: characters can be injected into a server or a client while maintaining a live connection.
 It supports sniffing of the username, password and even the data of an SSH1 connection.
 It supports sniffing of HTTPS (SSL-secured) data, even when the connection is made through a proxy, by presenting the client a forged certificate; this only succeeds if the client accepts that certificate, which is why certificate warnings and certificate pinning matter.
 It supports setting up a filter that searches for a particular string in the TCP or UDP payload and replaces it with a custom string or drops the entire packet.
 It can determine the OS of the victim host and its network adapter.
 It can kill connections of choice from the connection list.
 It can hijack DNS requests.
 It can also find other poisoners on the LAN, actively or passively.
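The ARP poisoning described on the previous slides, and the "find other poisoners" feature above, both come down to two observable signatures on the wire: ARP replies that nobody asked for, and an IP address whose MAC binding suddenly changes. The following Python monitor is an added example for these notes, not ettercap's own code or the logic of its arp_cop plugin; it runs over a constructed ARP trace (all addresses invented) in which an attacker re-binds the gateway's IP to its own MAC.

```python
from collections import defaultdict

ARP_REQUEST, ARP_REPLY = 1, 2


class ArpPoisonMonitor:
    """Tracks ARP traffic on one segment and flags the two signatures an
    ettercap-style ARP poisoner produces: replies nobody asked for, and an IP
    whose MAC binding changes. Example detection logic, not ettercap code."""

    def __init__(self, protected_ips=()):
        self.table = {}                      # ip -> mac learned from replies
        self.pending = defaultdict(set)      # ip being resolved -> MACs that asked
        self.protected = set(protected_ips)  # e.g. the default gateway

    def observe(self, op, sender_mac, sender_ip, target_mac, target_ip):
        """Feed one ARP packet; returns a list of alert strings (usually empty)."""
        alerts = []
        if op == ARP_REQUEST:
            self.pending[target_ip].add(sender_mac)
            return alerts
        if op != ARP_REPLY:
            return alerts
        # A reply is solicited only if the addressed host asked for this IP.
        if target_mac in self.pending[sender_ip]:
            self.pending[sender_ip].discard(target_mac)
        else:
            alerts.append(f"unsolicited ARP reply: {sender_ip} is-at {sender_mac} "
                          f"sent to {target_mac}")
        known = self.table.get(sender_ip)
        if known and known != sender_mac:
            level = "CRITICAL" if sender_ip in self.protected else "WARNING"
            alerts.append(f"{level}: {sender_ip} changed from {known} to {sender_mac}")
        self.table[sender_ip] = sender_mac
        return alerts


# Constructed ARP trace (op, sender MAC, sender IP, target MAC, target IP).
# 192.168.1.1 is the gateway, 192.168.1.20 the victim, 192.168.1.66 the attacker.
SAMPLE_TRACE = [
    (ARP_REQUEST, "aa:aa:aa:aa:aa:20", "192.168.1.20", "00:00:00:00:00:00", "192.168.1.1"),
    (ARP_REPLY,   "aa:aa:aa:aa:aa:01", "192.168.1.1",  "aa:aa:aa:aa:aa:20", "192.168.1.20"),
    # the poisoner tells the victim that the gateway now lives at the attacker's MAC
    (ARP_REPLY,   "bb:bb:bb:bb:bb:66", "192.168.1.1",  "aa:aa:aa:aa:aa:20", "192.168.1.20"),
]


def scan(trace, protected_ips=("192.168.1.1",)):
    """Run the monitor over a whole trace and collect every alert."""
    mon = ArpPoisonMonitor(protected_ips)
    return [alert for pkt in trace for alert in mon.observe(*pkt)]
```

The first two packets are a normal request/reply exchange and produce nothing; the third is both unsolicited and rebinds the protected gateway address, so scan returns two alerts. In practice the monitor must actually see the traffic (a SPAN port, or running it on each host the way arpwatch does), and the unsolicited-reply rule alone produces false positives because hosts legitimately send gratuitous ARP on boot and during failover; the binding change on a gateway or other critical address is the signal worth paging on.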



Hping
 Hping is a free packet generator and analyzer for the TCP/IP protocol suite. It is one of the standard tools for security auditing and testing of firewalls and networks.
 The idle scan technique was first demonstrated with hping and is now implemented in the Nmap security scanner.
 The latest version, hping3, is scriptable using the Tcl language and implements an engine for string-based, human-readable description of TCP/IP packets, so that a programmer can write scripts for low-level TCP/IP packet manipulation and analysis in a very short time.
 Hping also has a listen mode, enabling it to be used as an unsophisticated backdoor for covert remote access or file transfers.
 Hping's "listen" mode (hping3 --listen signature, also -9) can be used for receiving data.
 When hping is in listen mode, it monitors incoming traffic for a special "signature" string and dumps the packet data that follows it.



Use of Hping
 Determining a Host’s Status When Ping Doesn’t Work.
 Testing Firewall Rules.
 Stealth Port Scanning.
 Remote OS Fingerprinting.



Kismet
 Kismet is free software: a network detector, packet sniffer and intrusion detection system for 802.11 wireless LANs.
 Kismet works with any wireless card that supports raw monitoring (rfmon) mode and can sniff 802.11a, 802.11b, 802.11g and 802.11n traffic.
 It runs under Linux, FreeBSD, NetBSD, OpenBSD and macOS; the client can also run on Microsoft Windows, but with very limited capture support.
 Kismet has three separate parts.
 These are as follows:
 A drone: collects packets and passes them on to a server for interpretation.
 A server: used either in conjunction with a drone or on its own, interpreting packet data, extrapolating wireless information and organizing it.
 The client: communicates with the server and displays the information the server collects.



Features of Kismet
 Kismet differs from other wireless network detectors in working passively: it sends no probe requests, so it is not itself visible on the air.
 It is able to detect the presence of both wireless access points and wireless clients.
 Kismet also includes basic wireless IDS features such as detecting active wireless sniffing programs, including NetStumbler, as well as a number of wireless network attacks.
 It has the ability to log all sniffed packets and save them in a tcpdump/Wireshark-compatible file format.
 Kismet can also capture "per-packet information" (PPI) headers, which carry radio metadata such as channel and signal strength.
 It has the ability to detect default or unconfigured networks and probe requests, and to determine what level of wireless encryption is used on a given access point.



Features of Kismet – Cont.
 Kismet supports channel hopping.
 This means it constantly changes from channel to channel, non-sequentially, in a user-defined sequence whose default leaves big gaps between consecutive channels.
 The advantage of this method is that it captures more packets, because adjacent 2.4 GHz channels overlap: a dwell on one channel also hears part of the traffic on its neighbours, so consecutive dwells on widely separated channels cover more of the band in fewer hops.
 Kismet also supports logging of the geographical coordinates of a network if input from a GPS receiver is available.
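The channel-hopping argument above can be made concrete with a small model. The Python below is an added example for these notes, not Kismet's code, and the hop sequence it generates is an illustrative stride-based permutation rather than Kismet's actual default list. The assumption behind the model is stated in the comments: 2.4 GHz channels are 5 MHz apart and about 20 MHz wide, so a radio parked on channel c is treated as hearing channels c-2 through c+2.

```python
import math

# 2.4 GHz channels usable in most regions. Assumption for this model: each is
# 5 MHz from the next and about 20 MHz wide, so a dwell on channel c also hears
# energy from c-2 .. c+2.
CHANNELS_24GHZ = list(range(1, 12))
OVERLAP = 2


def hop_order(channels, stride):
    """Non-sequential hop sequence: start at the first channel and keep stepping
    `stride` positions modulo the channel count. Visits every channel exactly once
    when stride and the channel count are coprime (5 and 11 here). Illustrative
    only; Kismet's own default sequence is not reproduced here."""
    n = len(channels)
    if math.gcd(stride, n) != 1:
        raise ValueError("stride must be coprime with the number of channels")
    return [channels[(i * stride) % n] for i in range(n)]


def heard(channel, channels=CHANNELS_24GHZ, overlap=OVERLAP):
    """Set of channels whose transmissions bleed into a dwell on `channel`."""
    return {c for c in channels if abs(c - channel) <= overlap}


def coverage_after(order, dwells, overlap=OVERLAP):
    """Number of distinct channels heard at least once after the first `dwells` hops."""
    seen = set()
    for ch in order[:dwells]:
        seen |= heard(ch, overlap=overlap)
    return len(seen)


def dwells_to_full_coverage(order, overlap=OVERLAP):
    """How many hops until every channel in the band has been heard."""
    for n in range(1, len(order) + 1):
        if coverage_after(order, n, overlap) == len(order):
            return n
    return None
```

With stride 5 the order is 1, 6, 11, 5, 10, 4, 9, 3, 8, 2, 7: after three dwells every channel in the band has been heard, whereas sequential hopping needs nine dwells to achieve the same. What the overlap buys is faster detection of networks (beacons and probe requests) on neighbouring channels; frames from an adjacent channel are often corrupted, so a complete capture of one network still requires locking the source to that network's channel.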



Cyber Security (CS)
GTU - 3150714

Thank You

Prof. Maulik D Trivedi


Computer Engineering Department
Darshan Institute of Engineering & Technology, Rajkot
maulik.trivedi@darshan.ac.in
+91-9998265805
